BACKGROUND OF THE INVENTION

[02] The present invention relates generally to the field of content communication and more specifically to a system for communicating video content on demand through a communication network.

[03] Conventional systems for delivering video content on demand to subscribers are becoming well known. VOD (video on demand) is an interactive service in which content (e.g., video) is delivered to a subscriber over a point-to-point network (e.g., a cable system) on an on-demand basis. A subscriber may order and receive programming content at any time, without adhering to a predefined showing schedule. The subscriber is often provided VCR-like motion control functions, such as pause (freeze frame), slow motion, scan forward, and slow backward. The subscriber is typically allowed multiple viewings of a purchased program within a time window, e.g., 24 hours. VOD mimics (or exceeds) the level of control and convenience of rental video tapes. For a VOD service to prevent unauthorized access, the system implementing it provides some form of conditional access.

Conditional Access

[04] The system implementing VOD provides the capability to limit content access to authorized subscribers only, as the contents delivered as part of the service are generally considered valuable intellectual properties by their owners. In cable and satellite television, such capability is known as conditional access. Conditional access requires a trustworthy mechanism for classifying subscribers into different classes, and an enforcement mechanism for denying access to unauthorized subscribers. Encryption is typically the mechanism used to deny unauthorized access to content (as opposed to the carrier signal).

Entitlement Management Messages

[05] EMMs (Entitlement Management Messages) are control messages that convey access privileges to subscriber terminals. Unlike ECMs (Entitlement Control Messages) (discussed below), which are embedded in transport multiplexes and are broadcast to multiple subscribers, EMMs are sent unicast-addressed to each subscriber terminal. That is, an EMM is specific to a particular subscriber. In a typical implementation, an EMM contains information about the monthly key, as well as information that allows a subscriber terminal to access an ECM which is sent later. EMMs also define the tiers for each subscriber. With reference to cable services, for example, a first EMM may allow access to HBO™, ES?W™ and Cm™. A second EMM may allow access to ESPN™, INN™ and BET™, etc.

Entitlement Control Messages

[06] In a conditional access system, each content stream is associated with a stream of ECMs that serve two basic functions: (1) to specify the access requirements for the associated content stream (i.e., what privileges are required for access to particular programs); and (2) to convey the information needed by subscriber terminals to compute the cryptographic key(s), which are needed for content decryption. ECMs are transmitted in-band alongside their associated content streams. Typically, ECMs are cryptographically protected by a "monthly key" which changes periodically, usually on a monthly basis. The monthly key is typically distributed by EMMs prior to the ECMs, as noted above.

Encryption

[07] In a cable system, carrier signals are broadcast to a population of subscriber terminals (also known as set-top boxes). To prevent unauthorized access to service, encryption is often employed. When content is encrypted, it becomes unintelligible to persons or devices that don't possess the proper cryptographic key(s).

[08] Disadvantageously, for VOD, real-time encryption poses much greater cost and space issues. A medium-sized cable system may have, for example, 50,000 subscribers. Using a common estimate of 10% peak simultaneous usage, there can be up to 5000 simultaneous VOD sessions during the peak hours. A typical encryption device can process a small number of transport multiplexes (digital carriers). Over 300 such real-time encryption devices will be needed to handle the peak usage in the example system. Such a large amount of equipment not only adds significantly to the system cost, but also poses a space requirement challenge.
[09] One solution to the aforementioned problem is disclosed in copending related application entitled, "SYSTEM FOR SECURELY DELIVERING PRE-ENCRYPTED CONTENT ON DEMAND WITH ACCESS CONTROL," serial no. , filed July 3, 2001, which is hereby incorporated by reference in its entirety. In U.S. serial no. , a system is disclosed that encrypts content offline (typically before the content is requested by the user) before it is distributed to point-to-point systems such as cable systems. The system allows content to be encrypted once, at a centralized facility, and to be useable at different point-to-point systems. Advantageously, the pre-encrypted contents in the present invention have indefinite lifetimes. The system periodically performs an operation called ECM retrofitting, enabling the content to be useable in multiple systems and useable multiple times in the same system. The amount of data being processed during ECM retrofitting is very small (on the order of several thousand bytes). There is no need to reprocess the pre-encrypted contents. This is a significant advantage, as several thousand bytes represent only a tiny fraction of the size of a typical 2-hour video program, which is about 3 gigabytes (3,000,000,000 bytes) in size.

[10] In a first embodiment, the system of U.S. serial no. , includes a content preparation system (CPS) for pre-encrypting the content offline to form pre-encrypted content; an encryption renewal system (ERS) for generating entitlement control messages (ECMs) that allow the pre-encrypted content to be decryptable for a designated duration; and a conditional access system (CAS). Conventionally, the CAS controls a population of set-top boxes using a randomly generated periodical key. Only with possession of the periodical key can the pre-encrypted content be decrypted by the set-top boxes. The periodical key is initially forwarded to the ERS, which thereafter generates an ECM containing information regarding the periodical key.

[11] Next, the ECM and the periodical key information are retrofitted to the pre-encrypted content and are forwarded with the pre-encrypted content to the subscriber terminals for decryption. In this fashion, the ERS may be connected to multiple systems (and their CASs) for ECM retrofitting for each CAS. As noted, the amount of data being processed during ECM retrofitting is very small relative to having to encrypt the content itself for every CAS system. The problem arises, however, that the periodical key must be securely conveyed from each CAS to the ERS. The ERS may be a server, for example, remotely located from the CAS located at a cable head end. Frequently, the communication link may be insecure such that unauthorized access can be gained by pirates. Once the periodical key is accessed, the pre-encrypted content is decryptable.

[12] The security problem also applies to the CPS. As noted, the CPS is for pre-encrypting the content offline to form pre-encrypted content. An OLES (off-line encryption) device is the mechanism for carrying out the pre-encryption. The OLES receives clear content, encrypts the content and generates an associated encryption record for each encryption session. Disadvantageously, the OLES is susceptible to being stolen by pirates. In fact, when compromised, the OLES is potentially useable for an indefinite period, at least until the compromise is detected by manual means. The outputs of the OLES are valuable and the lost revenue from a compromised OLES may be relatively high.

[13] Therefore, there is a need to resolve the aforementioned problems relating to conveying cryptographic keys to the ERS and securing the OLES, and the present invention meets this need.

SUMMARY OF THE INVENTION

[14] Various aspects of the present invention are present in a system for securely delivering encrypted content on demand with access control. Unlike related art systems that employ real-time encryption, the embodiments of the present system encrypt content offline (typically before the content is requested by the user) before it is distributed to point-to-point systems such as cable systems. The system allows content to be encrypted once, at a centralized facility, and to be useable at different point-to-point systems. The system periodically performs an operation called ECM retrofitting, enabling the content to be useable in multiple systems and at multiple times in the same system.

[15] Advantageously, the system allows keys (typically but not necessarily periodical) to be securely delivered from a CAS (conditional access system) to an ERS (encryption renewal system). EMMs (entitlement management messages) containing the periodical keys are employed. An EMM is generated by a CAS and is securely forwarded to the ERS using a fictitious address of a virtual set-top box.

[16] Further, the system of the present invention denies access to pre-encrypted content generated by a compromised off-line encryption device (OLES). The system generates encrypted content and an associated encryption record having a time stamp, and allows the time stamp to be reported as a last authorized time stamp. When subsequent content from a compromised OLES is to be accessed, it is determined whether the time stamp associated with the subsequent content predates or is contemporaneous to the first time stamp. If the subsequent content carries an earlier or contemporaneous time stamp, the request is granted; otherwise, it is denied.
[17] According to a first aspect of the present invention, a system for delivering content on demand to a subscriber terminal through a point-to-point communication network is disclosed. The system includes a content preparation module for pre-encrypting the content offline to form pre-encrypted content; an on-demand module receiving the pre-encrypted content from the content preparation module, and for forwarding the pre-encrypted content to the subscriber terminal when authorized; an encryption renewal system interfacing with the on-demand module to generate entitlement control messages allowing the pre-encrypted content to be decryptable for a designated duration; and a conditional access system for providing a periodical key to the encryption renewal system, to permit generation of the entitlement control message which conveys to the subscriber terminal information required to compute the periodical key in order to enable decryption of the pre-encrypted content.

[18] According to another aspect of the present invention, a method for use in a communication system is disclosed. The method is for forwarding messages containing periodical keys from one or more access systems that control a population of set-top boxes to an encryption renewal system. The method includes storing a fictitious address of a virtual set-top box; generating a first message based on the fictitious address, the message containing a first periodical key; and forwarding the first message to the fictitious address of the virtual set-top box. In a further aspect, the method includes the encryption renewal system, which has knowledge of the fictitious address, receiving the first message.

[19] According to another aspect of the present invention, the virtual set-top box appears to the first conditional access system as one of the population of set-top boxes within its control.

[20] According to another aspect of the present invention, the method involves the steps of storing, by a second conditional access system, the fictitious address of the virtual set-top box; generating, by the second conditional access system, a second message having a second periodical key; and forwarding, by the second conditional access system, the second message to the fictitious address.

[21] According to another aspect of the present invention, a conditional access system controlling a population of set-top boxes is disclosed. The conditional access system includes one or more software instructions for storing a virtual set-top box address appearing as part of the population of set-top boxes; one or more software instructions for generating an entitlement management message having a cryptographic key for controlling the population of set-top boxes and the virtual set-top box; and one or more software instructions for forwarding the entitlement management message to the virtual set-top box address.

[22] According to another aspect of the present invention, one embodiment discloses an encryption renewal system. The encryption renewal system features one or more software instructions for storing information relating to a virtual set-top address; one or more software instructions for receiving from a first conditional access system a first entitlement management message having a periodical key, the entitlement management message being intended for receipt by the virtual set-top address; and one or more software instructions for deriving the periodical key from the entitlement management message. Further, the encryption renewal system includes one or more software instructions for determining that the entitlement management message is from the first conditional access system.

[23] According to another aspect of the present invention, the encryption renewal system further includes one or more software instructions for receiving from a second conditional access system a second entitlement management message having a periodical key, the entitlement management message being intended for receipt by the virtual set-top address; and one or more software instructions for deriving the periodical key from the entitlement management message.
[24] According to another aspect of the present invention, the encryption renewal system further includes a database for storing the first periodical key of the first conditional access system, and a second periodical key associated with a second conditional access system.

[25] According to another aspect, the present invention is a conditional access system for controlling a population of set-top boxes. The conditional access system contains a means for storing a virtual set-top box address appearing as part of the population of set-top boxes; a means for generating an entitlement management message having a periodical key through which the conditional access system controls the population of set-top boxes; and a means for forwarding the entitlement management message to the virtual set-top box address, wherein said means may be software instructions, hardware or a combination of both.

[26] According to another aspect of the present invention, the virtual set-top box address is unique to avoid collisions.

[27] According to another aspect of the present invention, an encryption renewal system is disclosed that includes means for storing information relating to a virtual set-top address; means for receiving from a first conditional access system a first entitlement management message having a periodical key, the entitlement management message being intended for receipt by the virtual set-top address; and means for deriving the periodical key from the entitlement management message. In another aspect, the encryption renewal system includes means for determining that the entitlement management message is from the first conditional access system.

[28] According to another aspect of the present invention, a method is employed for controlling access to the pre-encrypted content in a network. The method includes encrypting clear content to form a first pre-encrypted content; generating a first encryption record having a first time stamp associated with the step of encrypting clear content; adding a cryptographic signature to the encryption record; reporting the first time stamp as a last permissible time stamp; receiving a request to provide access to a second pre-encrypted content, the request being accompanied by a second encryption record having a second time stamp; and determining whether the second encryption record has been altered.

[29] If the second encryption record has been altered, the method includes denying the request to provide access to the second pre-encrypted content; if no alteration to the second encryption record has occurred, determining whether the second time stamp predates or is contemporaneous to the first time stamp; if the second time stamp predates or is contemporaneous to the first time stamp, providing access to the second pre-encrypted content in accordance with the request; and if the second time stamp is subsequent to the first time stamp, denying the request to provide access to the second pre-encrypted content. The step of receiving is implemented by an encryption renewal system for retrofitting the pre-encrypted content with entitlement control messages.

[30] According to another aspect of the present invention, a system for denying access to second pre-encrypted content generated by a compromised off-line encryption device is disclosed. The system comprises the off-line encryption device having one or more software instructions for encrypting content to form a first encrypted content and an associated first encryption record having a first time stamp; and an encryption renewal system having one or more software instructions for receiving a signal indicating the first time stamp as a last authorized time stamp, one or more software instructions for receiving a request to access the second pre-encrypted content, the request being accompanied by a second encryption record having a second time stamp, and one or more software instructions for determining whether the second time stamp predates or is contemporaneous to the first time stamp. If the second time stamp predates or is contemporaneous to the first time stamp, the request to access the second pre-encrypted content is granted, and if the second time stamp is subsequent to the first time stamp, the request to access the second pre-encrypted content is denied.



[31] According to another aspect of the present invention, an encryption renewal system for controlling access to pre-encrypted content generated by an encryption device is disclosed. The system contains one or more software instructions for receiving a request to retrofit an entitlement control message that allows a home device to access pre-encrypted content; and one or more software instructions for retrofitting the entitlement control message only after verifying that the pre-encrypted content was generated prior to or contemporaneous with an authorized time stamp.

[32] According to another aspect of the present invention, an encryption renewal system for controlling access to pre-encrypted content generated by an encryption device is disclosed. The system includes a means for receiving a request for an entitlement control message that allows a home device to access pre-encrypted content; a means for receiving a signal providing a first time stamp that was authorized; and a means for generating the entitlement control message only after verifying when the pre-encrypted content was generated.

[33] According to another aspect of the present invention, an offline encryption device is disclosed that includes one or more software instructions for generating a first time stamp marking when a first encrypted content is generated; and one or more software instructions for generating a second time stamp marking when a second encrypted content is generated, such that if the first time stamp is the last authorized, the second encrypted content is decryptable only if the second time stamp is prior to or contemporaneous with the first time stamp.

[34] According to another aspect of the present invention, the device includes one or more software instructions for determining whether the cryptographic signature has been altered.

[35] According to another aspect, the device includes an encryption renewal system for receiving a signal providing that the first time stamp is the last authorized time stamp.

[36] According to another aspect of the present invention, an offline encryption device is disclosed having a means for generating a first time stamp marking when a first encrypted content is generated; and a means for generating a second time stamp marking when a second encrypted content is generated, such that if the first time stamp is the last authorized, the second encrypted content is decryptable only if the second time stamp is prior to or contemporaneous with the first time stamp. The offline encryption device includes a means for generating an encryption record having the first time stamp.
[37] The present invention incorporates all of the advantages of point-to-point services (i.e., video on demand), such as the inability of unauthorized persons to access content since there are no predefined schedules and VOD service is interactive and delivered to only a single subscriber. Advantageously, the present invention protects investments in OLES and their associated content by preventing access by unauthorized persons.

BRIEF DESCRIPTION OF THE DRAWINGS 

[38] Fig. 1 shows a system architecture for delivering encrypted content to a subscriber in accordance with a first embodiment of the present invention.

[39] Fig. 2 is a block diagram of a communication network for conveying periodical keys to a single ERS.

[40] Fig. 3 is a flow diagram for forwarding EMMs containing periodical keys from the CAS to the ERS.

[41] Fig. 4 is an exemplary flow diagram of the steps for controlling access to pre-encrypted content in accordance with a first embodiment of the present invention.

[42] A further understanding of the nature and advantages of the invention herein may be realized by reference to the remaining portions of the specification and the attached drawings.

DETAILED DESCRIPTION OF THE INVENTION

[43] A first embodiment of the present invention discloses a system for securely delivering encrypted content on demand with access control. The system encrypts the content prior to its being distributed through a communication system such as a cable system, for example. Content is encrypted once at a centralized facility and is useable at different point-to-point systems and point-to-multipoint systems. Advantageously, the pre-encrypted contents in the present invention have indefinite lifetimes. The system periodically performs an operation called ECM retrofitting to keep pre-encrypted contents usable.

[44] The system allows periodical keys to be securely delivered from a CAS (conditional access system) to an ERS (encryption renewal system). An EMM (entitlement management message) containing the periodical keys is employed. The EMM is generated by a CAS and, carrying the periodical key, is securely forwarded to the ERS using the fictitious address of a virtual set-top box.
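The exchange described in paragraphs [18] through [27] and [44], as an added illustration that is not part of the patent or of any product it describes: a CAS issues EMMs to every address in its population, one of which is the fictitious virtual set-top box; the ERS, holding that box's address and unit key, accepts only EMMs that are addressed to it and that authenticate under that key, and files the resulting periodical key by originating CAS. Everything beyond the patent's description is an assumption: the per-box unit key, the SHA-256 pad and HMAC-SHA256 tag standing in for the CAS's real EMM cipher, the `cas_id` field, the class and method names, and the out-of-band provisioning of the virtual box's key to the ERS.

```python
"""Periodical key delivery from a CAS to the ERS through a virtual set-top box.

Added illustration for paragraphs [18]-[27] and [44]; not the patent's own
code. Assumptions: every set-top box, real or virtual, shares a unit key with
its CAS; an EMM is the periodical key (at most 32 bytes) XORed with a SHA-256
pad under the addressee's unit key plus an HMAC-SHA256 tag; and the virtual
box's address and unit key are handed to the ERS out of band at provisioning.
"""
import hashlib
import hmac
import os


def _xor_block(unit_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """One-block XOR with a SHA-256 pad (demo cipher; data must be <= 32 bytes)."""
    pad = hashlib.sha256(unit_key + nonce).digest()
    return bytes(a ^ b for a, b in zip(data, pad))


def _tag(unit_key: bytes, addr: str, nonce: bytes, body: bytes) -> str:
    """HMAC over address, nonce and ciphertext so the EMM cannot be re-addressed."""
    return hmac.new(unit_key, addr.encode() + nonce + body, hashlib.sha256).hexdigest()


class CAS:
    """Conditional access system controlling a population of set-top boxes."""

    def __init__(self, cas_id: str, stb_unit_keys: dict):
        self.cas_id = cas_id
        self.unit_keys = dict(stb_unit_keys)   # address -> unit key of each real box
        self.virtual_addr = None

    def register_virtual_stb(self, addr: str, unit_key: bytes) -> None:
        """[21], [25]: store a virtual box address that appears as part of the population."""
        if addr in self.unit_keys:
            raise ValueError("virtual address collides with a real box")  # [26]
        self.unit_keys[addr] = unit_key
        self.virtual_addr = addr

    def make_emm(self, addr: str, periodical_key: bytes) -> dict:
        """Unicast EMM for one box: the key encrypted under that box's unit key."""
        if len(periodical_key) > 32:
            raise ValueError("demo cipher wraps at most 32 bytes")
        unit_key = self.unit_keys[addr]
        nonce = os.urandom(12)
        body = _xor_block(unit_key, nonce, periodical_key)
        return {"addr": addr, "cas_id": self.cas_id, "nonce": nonce,
                "body": body, "tag": _tag(unit_key, addr, nonce, body)}

    def distribute_periodical_key(self, periodical_key: bytes) -> list:
        """One EMM per box; the virtual box gets one like any other ([19])."""
        return [self.make_emm(addr, periodical_key) for addr in self.unit_keys]


class ERS:
    """Encryption renewal system: besides the CAS, the only holder of the virtual unit key."""

    def __init__(self):
        self.virtual_boxes = {}  # cas_id -> (virtual address, unit key)
        self.keys = {}           # cas_id -> current periodical key ([24] database)

    def provision(self, cas_id: str, addr: str, unit_key: bytes) -> None:
        """Out-of-band setup (assumed): learn one CAS's virtual box address and key."""
        self.virtual_boxes[cas_id] = (addr, unit_key)

    def receive(self, emm: dict) -> bool:
        """Accept an EMM only if addressed to a known CAS's virtual box and authentic."""
        entry = self.virtual_boxes.get(emm["cas_id"])
        if entry is None or emm["addr"] != entry[0]:
            return False   # not for the virtual box: ignore it, as any other box would
        addr, unit_key = entry
        expected = _tag(unit_key, addr, emm["nonce"], emm["body"])
        if not hmac.compare_digest(expected, emm["tag"]):
            return False   # [22]: cannot confirm the message came from that CAS
        self.keys[emm["cas_id"]] = _xor_block(unit_key, emm["nonce"], emm["body"])
        return True
```

In the test the ERS is handed every EMM a CAS produces, including those unicast to real boxes, to show that it ignores anything not addressed to its own virtual box; in a deployment it would only ever see the EMMs sent to that address. Each CAS provisions its own virtual box, so an EMM that verifies under a given virtual unit key is thereby attributed to that CAS ([22]), and the collision check on registration reflects [26].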

[45] Further yet, the system of the present invention can deny access to pre-encrypted content generated by a compromised off-line encryption device (OLES). The system generates encrypted content and an associated encryption record having a time stamp, and allows the time stamp to be reported as a last authorized time stamp. When subsequent content from a compromised OLES is to be accessed, it is determined whether the time stamp associated with the subsequent content predates or is contemporaneous to the first time stamp. If yes, the request is granted; otherwise, it is denied.
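The time-stamp gate of paragraphs [28]-[29] and [45], as an added illustration rather than the patent's own code. For each encryption session the OLES emits an encryption record carrying the session time stamp and a signature; the ERS first verifies that the record was not altered, then grants or denies the ECM retrofit request by comparing the record's time stamp with the last authorized one. The record layout, the HMAC-SHA256 signature, the SHA-256 keystream standing in for the content cipher, the shared `OLES_SIGNING_KEY` and the `report_last_authorized` call are all assumptions not fixed by the patent.

```python
"""Time-stamp gate for content from a compromised off-line encryption device.

Added illustration for paragraphs [28]-[29] and [45]; not the patent's own
code. Assumptions the patent does not fix: the encryption record is a dict
with a UNIX 'time_stamp', its "cryptographic signature" is an HMAC-SHA256
under a key shared by the OLES and the ERS, the content cipher is a
SHA-256 keystream XOR standing in for the real one, and the operator reports
the last authorized time stamp by a direct call on the ERS object.
"""
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment keeps this inside the OLES's
# secure packaging and the ERS's key store.
OLES_SIGNING_KEY = b"demo-oles-signing-key"


def _canonical(record: dict) -> bytes:
    """Stable byte form of the record so the signature is order-independent."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def oles_encrypt(clear_content: bytes, program_id: str, now: int,
                 signing_key: bytes = OLES_SIGNING_KEY):
    """Pre-encrypt content; return (encrypted bytes, signed encryption record).

    The record keeps the key parameter needed for later decryption together
    with the time stamp of this encryption session ([28]: "generating a first
    encryption record having a first time stamp").
    """
    program_key = hashlib.sha256(b"program-key:" + program_id.encode()).digest()
    blocks = (len(clear_content) + 31) // 32
    stream = b"".join(hashlib.sha256(program_key + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    encrypted = bytes(a ^ b for a, b in zip(clear_content, stream))
    record = {"program_id": program_id, "time_stamp": now,
              "key_param": program_key.hex()}
    # The patent also encrypts the record itself ([53]); omitted here so the
    # time-stamp check stays visible.
    record["signature"] = hmac.new(signing_key, _canonical(record),
                                   hashlib.sha256).hexdigest()
    return encrypted, record


class ERS:
    """Encryption renewal system side of the check ([29], [31])."""

    def __init__(self, signing_key: bytes = OLES_SIGNING_KEY):
        self._signing_key = signing_key
        self.last_authorized_ts = None  # None: no compromise reported yet

    def report_last_authorized(self, ts: int) -> None:
        """Operator reports the first time stamp as the last permissible one."""
        self.last_authorized_ts = ts

    def record_unaltered(self, record: dict) -> bool:
        """Recompute the signature over everything but the signature field."""
        body = {k: v for k, v in record.items() if k != "signature"}
        expected = hmac.new(self._signing_key, _canonical(body),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, str(record.get("signature", "")))

    def ecm_request(self, record: dict) -> str:
        """Decide an ECM retrofit request; returns 'granted' or a denial reason."""
        if not self.record_unaltered(record):
            return "denied: encryption record altered"
        if (self.last_authorized_ts is not None
                and record["time_stamp"] > self.last_authorized_ts):
            return "denied: content generated after last authorized time stamp"
        return "granted"
```

The order of the two checks matters: the signature is verified before the time stamp is read, so a record whose time stamp was edited backwards fails on the first check rather than being granted on the second. The gate assumes that a device in the wrong hands cannot be made to emit freshly signed records bearing earlier time stamps; the patent places that trust in the OLES's physical security and secure packaging ([54]), and the cut-off itself is only as timely as the report of the compromise ([16]).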

[46] Fig. 1 is a system architecture 100 for delivering encrypted content to a subscriber in accordance with a first embodiment of the present invention.

[47] Among other components, system architecture 100 comprises a content preparation system (CPS) 102 for pre-encrypting content, a video on demand (VOD) system 108 storing encrypted programs for distribution to subscribers on an on-demand basis, a conditional access system (CAS) 110 for controlling one or more keys granting access to pre-encrypted content, an encryption renewal system (ERS) 104 accepting requests from the video on demand system to generate new entitlement control messages for pre-encrypted content, a distribution network 112 for distributing content, and an interactive network 114 providing two-way interaction between the subscriber and the content system. Although not shown, one of ordinary skill in the art would realize that other components and arrangements for achieving the various functionalities of system architecture 100 are possible. For example, VOD system 108 may be coupled directly to CAS 110 and the functionalities consolidated in both components, since both components are typically located within a cable system head end.

[48] In operation, the VOD system 108 is installed to provide VOD to subscribers. Before going live, VOD system 108 goes through a registration process with the ERS 104. This establishes the identity of the VOD system 108 to the ERS so it can produce proper and appropriate responses specific to that VOD system installation. Once the VOD system registration is complete, content may be added to the VOD system and made available to subscribers. Clear content (a), such as a movie, originates from a content provider and begins its entry to the VOD at CPS 102. Here, the clear content is encrypted using an Off Line Encryption System (OLES) (not shown), which pre-encrypts the content in preparation for delivery by VOD system 108. The OLES also generates an encryption record associated with the encrypted content. Note that the VOD system may keep the encryption record with the pre-encrypted content at all times, as it identifies the content for later processing and decryption within VOD system 108.

[49] Once the clear content is encrypted at the OLES, the resulting pre-encrypted content and associated encryption record are delivered to VOD system 108 for storage on the local server. Advantageously, multiple VOD systems may be coupled to CPS 102 such that content is encrypted once and distributed to the systems. VOD system 108 is responsible for keeping the pre-encrypted content and associated encryption record together. Before the pre-encrypted content may be requested or viewed by subscribers in their homes, VOD system 108 obtains suitable Entitlement Control Messages (ECMs) from the ERS 104. The VOD system submits an ECM request to ERS 104, containing the encryption record (c) for the desired pre-encrypted content.

[50] ERS 104 responds with the proper ECMs, an ERS synchronization number, and a callback time. The ECMs are created specifically for the particular pre-encrypted content and the particular point-to-point system within which the VOD system operates, and for a particular time period. The ECMs are protected using a key (typically periodical) provided by each conditional access system (CAS 110 in the present case) controlling the set-top boxes. VOD system 108 inserts the received ECMs into the streams along with the pre-encrypted content whenever it is spooled out to a subscriber.

[51] It should be observed that ECMs returned to VOD system 108 by ERS 104 are valid and usable with the pre-encrypted content only for a limited time; the exact time, determined by CAS 110, is not predictable in advance. Thus, the callback time returned with the ECMs indicates the time by which VOD system 108 should check with the ERS to see if ECMs for all pre-encrypted content may be updated. When the VOD system receives the callback time it should be stored and tracked against the current time. If the callback time is reached and the VOD system 108 has not contacted ERS 104 in the intervening time, then VOD system 108 attempts to contact the ERS 104 even if it has no new ECM requests to fulfill.
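The request, response and callback tracking of paragraphs [49] through [51], as an added example that is not part of the patent: the VOD system submits the encryption record, the ERS answers with an ECM, a synchronization number and a callback time, and the VOD system tracks that time against the clock so that it calls the ERS again once it passes with no contact in between, refreshing every ECM it holds when the synchronization number has moved. The ECM as a program key XORed with a SHA-256 pad under the periodical key, the fixed `CALLBACK_INTERVAL`, the counter used as the synchronization number and the class names are assumptions; the patent specifies none of them.

```python
"""ECM request, ERS synchronization number and callback-time tracking.

Added illustration for paragraphs [49]-[51]; not the patent's own code.
Assumptions: an ECM carries the program key from the encryption record
wrapped (XOR with a SHA-256 pad) under the CAS periodical key; the ERS picks
the callback time a fixed interval ahead (the patent only says the exact
expiry set by the CAS is not predictable); and the synchronization number is
a counter the ERS increments on every periodical key change.
"""
import hashlib

CALLBACK_INTERVAL = 3600  # seconds; assumed value, not from the patent


def _wrap(periodical_key: bytes, program_id: str, data32: bytes) -> bytes:
    """Symmetric 32-byte XOR wrap/unwrap under the periodical key (demo cipher)."""
    pad = hashlib.sha256(periodical_key + program_id.encode()).digest()
    return bytes(a ^ b for a, b in zip(data32, pad))


class ERS:
    """ERS 104 as seen by one registered VOD system."""

    def __init__(self, periodical_key: bytes):
        self._periodical_key = periodical_key
        self.sync_number = 1

    def cas_key_change(self, new_key: bytes) -> None:
        """CAS 110 reports a periodical key change; ECMs issued earlier stop working."""
        self._periodical_key = new_key
        self.sync_number += 1

    def ecm_request(self, encryption_record: dict, now: int) -> dict:
        """ECM retrofit for one pre-encrypted program ([50])."""
        program_key = bytes.fromhex(encryption_record["program_key"])
        ecm = _wrap(self._periodical_key, encryption_record["program_id"], program_key).hex()
        return {"program_id": encryption_record["program_id"], "ecm": ecm,
                "sync_number": self.sync_number,
                "callback_time": now + CALLBACK_INTERVAL}


class VODSystem:
    """VOD system 108: keeps record and ECM per program and honours the callback time."""

    def __init__(self, ers: ERS):
        self.ers = ers
        self.library = {}   # program_id -> encryption record (kept with the content, [49])
        self.ecms = {}      # program_id -> current ECM, inserted into the stream ([50])
        self.sync_number = None
        self.callback_time = None
        self.last_contact = None
        self.contacts = 0

    def contact_ers(self, now: int, program_ids) -> None:
        """Request ECMs; if the synchronization number moved, refresh every program."""
        self.contacts += 1
        self.last_contact = now
        pending = list(program_ids)
        while pending:
            pid = pending.pop()
            resp = self.ers.ecm_request(self.library[pid], now)
            if self.sync_number is not None and resp["sync_number"] != self.sync_number:
                pending = [p for p in self.library if p != pid]  # all held ECMs are stale
            self.sync_number = resp["sync_number"]
            self.ecms[pid] = resp["ecm"]
            self.callback_time = resp["callback_time"]

    def add_content(self, record: dict, now: int) -> None:
        """Ingest pre-encrypted content and fetch its ECM before offering it ([49])."""
        self.library[record["program_id"]] = record
        self.contact_ers(now, [record["program_id"]])

    def tick(self, now: int) -> bool:
        """Periodic check ([51]): call the ERS once the callback time passes with no contact since."""
        if (self.callback_time is not None and now >= self.callback_time
                and self.last_contact < self.callback_time):
            self.contact_ers(now, list(self.library))
            return True
        return False


def subscriber_unwrap(ecm_hex: str, periodical_key: bytes, program_id: str) -> str:
    """Set-top box side: recover the program key (hex) from the ECM with its periodical key."""
    return _wrap(periodical_key, program_id, bytes.fromhex(ecm_hex)).hex()
```

`subscriber_unwrap` plays the set-top box: the same ECM yields the program key under the March periodical key and an unrelated value under April's, which is exactly the situation the callback exists to repair. A VOD system that ignored the callback would keep spooling out content with ECMs the boxes can no longer use.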

Content Preparation System (CPS)

[52] In Fig. 1, content preparation system (CPS) 102 is a centralized facility for preparing contents according to the requirements of the VOD system (VOD) 108 and those of the Conditional Access system (CAS) 110. CPS 102 encodes content in a format (e.g., MPEG-2) suitable for storage on video servers and for distribution to the subscriber terminals. For content that is already available in the suitable format, this encoding step may be unnecessary. CPS 102 also functions to encrypt digitally encoded content according to the specifications of CAS 110.

[53] The encryption process involves generating one or a series of cryptographic keys. As part of the encryption process, the cryptographic keys, or the parameters used in their generation, are saved in a data structure called an encryption record. The encryption record is protected by encryption to prevent unauthorized access to the keys. CPS 102 may package encrypted programs with the associated encryption records, which may additionally contain useful but nonessential information about the content. Such information may include program title, identification of the program assigned by different parties, encoding parameters, program length, etc. CPS 102 may serve multiple cable systems or multiple point-to-point systems.

[54] Although not shown, CPS 102 includes an OLES (offline encryption) device for performing the aforementioned functionality. The OLES uses one or more non-real-time, or offline, encryption devices to encrypt content. A given OLES generates program-specific cryptographic keys that are used to encrypt content. The OLES is protected by physical security including physical access control and secure packaging. The OLES includes functions such as: accepting encryption control provisioning parameters from the ERS, including cryptographic information to support content encryption; selecting one or more cryptographic keys, based on the encryption control parameters and system configuration, which keys are used for encrypting the program content; generating an encryption record, which contains information about the keys used to encrypt the content (this record itself is encrypted to maintain the security of the encryption record); encrypting the program content using the chosen keys; and providing the encrypted content and the encryption record to the CPS, for subsequent transfer to at least one VOD system.

[55] Typically, an OLES is registered and authorized by the ERS 104 prior to having the ability to perform encryption operations. ERS 104 provides a removable disk containing authorization and configuration parameters for the OLES, such data being processed during initial setup. The OLES may use various encryption modes.

[56] The OLES is capable of processing MPEG content in an off-line 
manner whereby the raw content has been completely encoded and is obtainable from a 
server (VOD or other server) or has been placed onto the OLES system. One of ordinary 
skill will realize that the above guidelines are exemplary and other embodiments having 
different guidelines are possible. 

Video On Demand System (VOD system) 

[57] VOD system 108 comprises one or more video servers adapted for 
video on demand applications. The servers store encrypted programs for distribution to 
subscribers on an on demand basis. Thereafter, the pre-encrypted programs are routed and 
streamed to the authorized subscribers. In addition, VOD system 108 accepts purchase 
requests from subscriber terminals, and validates and authorizes such purchase requests as 
appropriate. In some instances, after a purchase request is approved, the VOD purchases 
may be temporarily stored until requested by the subscriber. 

[58] VOD systems generally are well known in the art and need not be 
described in detail. Thus, VOD system 108 may comprise off the shelf items including 
hardware and software and/or customizable software in accordance with one embodiment of 
the present invention. 

Conditional Access System (CAS) 

[59] As noted, content system 100 includes a conditional access system 
(CAS) 110. CAS 110 permits access to pre-encrypted content by subscriber terminals by 
provisioning them with EMMs, and generates ECMs for non-VOD services. Other 
functions of CAS 110 include controlling real-time encryption devices in the cable system; 
reporting the (scheduled) occurrence of monthly key changes to the encryption renewal 
system (described below); and transmitting cable system-specific cryptographic parameters 
(e.g., monthly keys) to the encryption renewal system to enable ECM retrofitting. CAS 110 
may be located either on site or off site, and may serve multiple cable systems, in which 
case CAS 110 acts as multiple logical conditional access systems. Furthermore, CAS 110 
interfaces with the Billing System to obtain authorization information about each 
subscriber, and to report purchases to the Billing System. CAS systems are well known in 
the art and may comprise off the shelf items. In addition, one of ordinary skill in the art 
such as a programmer can develop code as may be necessary to accommodate the present 
invention. 

Billing System (BS) 

[60] BS 106 interfaces with both VOD system 108 and CAS 110 to 
provide the following functions: (1) accepting subscription and service change requests 
from subscribers; (2) maintaining subscriber account information; (3) billing subscribers; 
(4) interfacing with VOD system 108 to provide the latter with subscriber authorization 
status, and to collect video on demand purchase information from the latter; and (5) 
providing subscriber authorization status, service and event definition information, and 
collecting purchase information. 


Encryption Renewal System (ERS) 

[61] As shown in Fig. 1, ERS 104 interfaces with CPS 102, VOD system 
108 and CAS 110. ERS 104 enables pre-encrypted content to be distributed to VOD system 
108 and other authorized VOD system entities while enabling access control within each 
CAS 110. The ERS performs ECM renewal (ECM retrofitting) in synchronization with 
category epoch rollover events occurring within each participating CAS 110. A category 
epoch is the nominal period during which a periodical key used by CAS 110 to protect the 
distribution of ECM keys is in effect. 

[62] Encrypted content from the CPS is unusable until an initial ECM 
"renewal" operation is performed. To make the content usable for the first time, VOD 
system 108 contacts ERS 104 to obtain the first set of ECMs. Henceforth, ECM renewal is 
performed periodically to keep valid ECMs associated with each content title on the VOD 
system. ERS 104 functions include: generating encryption control parameters for 
initializing OLES devices; communicating with the CAS in different point-to-point systems; 
accepting requests from a VOD system to generate ECMs for pre-encrypted content; 
computing retrofitted ECMs; sending retrofitted ECMs to the requesting VODS; and 
maintaining databases of appropriate parameters. ERS 104 may also interface with VOD 
system 108 to forward information about (scheduled) monthly key changes to VOD system 
108. 

[63] ERS 104 is implementable using hardware, software or a 
combination of both. For example, a number of platforms such as Sun/Solaris™, 
coding languages such as Java™, servers like Apache Group's Apache™ or Microsoft's 
IIS™, and operating environments such as Windows NT™ or NetBSD™ may be employed in 
the present invention. 


Distribution Network 

[64] Distribution Network 112 is a network that distributes signals to all 
or a subset of the subscribers in the system. Distribution Network 112 may comprise hybrid 
fiber-coax (HFC) technology, for example. In an HFC network, for example, broadcast 
signals are distributed from the head end (central office) to a number of second level 
facilities (distribution hubs). Each hub in turn distributes carriers to a number of fiber 
nodes. In a typical arrangement, the distribution medium from the head end down to the 
fiber node level is optical fiber. Subscriber homes are connected to fiber nodes via coaxial 
cables. At some level of distribution facility (hub, fiber node, or other distribution 
facilities), video on demand carriers are broadcast to a subset of the subscriber terminal 
population served by the distribution facility. This typically occurs at the fiber node level. 
This arrangement allows the reuse of video on demand carrier frequencies, say across fiber 
nodes, because different fiber nodes broadcast different video on demand carriers to the 
subscribers they serve. 

Interactive Network 

[65] Interactive network 114 is communicably coupled to VOD system 
108 and set top population 120 to provide a two-way communication capability between 
the subscriber terminals and the VOD system 108. Interactive Network 114 may share 
some of the physical infrastructure of Distribution Network 112. 

Renewing ECMs 

[66] ECM retrofitting is the process of generating ECMs for pre-encrypted 
contents so that they are usable in different cable systems and despite monthly key 
changes. It is performed by a server hosted in ERS 104, which is a secure environment. 
Content is encrypted prior to a request from a subscriber terminal. ERS 104 provisions the 
offline encryption devices in CPS 102 with encryption control parameters, which, among 
other functions, enable ERS 104 to retrieve information from encryption records generated 
by the CPS. This provisioning need be done only infrequently, or possibly just once. It 
need not be done with every ECM retrofitting request from the VOD system 108. 

[67] Next, an encryption record of parameters for encrypting the content is 
generated. VOD system 108 establishes a secured connection to ERS 104. To make a pre-
encrypted program usable in a particular system for a particular period, VOD system 108 
sends the encryption record to ERS 104, which checks the authorization status of the 
requested content from VOD system 108. If the authorization check fails, ERS 104 
terminates the session. Otherwise, the process continues. ERS 104 generates one or more 
ECMs for the pre-encrypted program using the periodical cryptographic key associated with 
the cable system (and possibly other parameters required by the CAS). The ECM(s) are 
created in such a way that they will be valid until the periodical cryptographic key of the 
target system changes again. ERS 104 sends the retrofitted ECM(s) and pre-encrypted 
content to the subscriber via VOD system 108. 

[68] Fig. 2 is a block diagram of a communication network 200 for 
conveying periodical keys to a single ERS 202. 

[69] Among other components, communication network 200 comprises 
ERS 202 for receiving the periodical keys from one or more point-to-point systems 204, 
206, 208; a database (not shown) for storing the periodical keys; and entitlement 
management messages (EMM) (not shown) for conveying the periodical keys to ERS 202. 
Point-to-point system or first cable system 204 contains a conditional access system (CAS) 
218 for controlling a population of set-top boxes 226, 228 and a VOD server system (not 
shown). Conventionally, CAS 218 controls the population of set-top boxes by forwarding 
EMMs (entitlement management messages) having the periodical keys to each set-top box. 

[70] Advantageously, the present invention exploits this feature by having 
CAS 218 forward the periodical keys to ERS 202 using EMMs. ERS 202 uses the keys to 
generate the ECMs that are returned to the point-to-point systems with the pre-encrypted 
content. Therefore, as will be recognized by one of ordinary skill in the art, conventional 
CASs require less modification to accommodate the present invention because the CASs 
already have the know-how to generate EMMs. It should be noted that each EMM is generated for 
a specific set-top box. Within each set-top box is the unit key (seed) (not shown) included 
at time of manufacture, and each CAS knows the unit key for each set-top box within its 
domain. The EMM generated carries the periodical key and other information, all of which 
are encrypted using the unit key. In addition, as shown in Fig. 2, cable system 206 includes 
a CAS 230, set-top boxes 224, 250 and a VOD system (not shown). A CAS 216, set-top boxes 
220, 222 and a VOD system (not shown) are located within point-to-point system 208. 

[71] In operation, in order to generate the ECMs, the EMMs having 
periodical keys must be forwarded to ERS 202 in a secure fashion as will be discussed with 
reference to Fig. 3. 

[72] Fig. 3 is a flow diagram for forwarding EMMs containing periodical 
keys from CAS 216 to ERS 202 (Fig. 2). Although not shown, the method of the present 
invention is also applicable to transfer of EMMs from CAS 218 and CAS 230 to ERS 202. 

[73] At block 302, the method involves storing a fictitious address of a 
virtual set-top box. That is, a fictitious address is defined for a non-existent set-top box. 
CAS 216 is informed of the virtual set-top box No. 1234, for example. Thereafter, ERS 202 
needs to track only the unit key applicable to set-top box 1234 and not those for every set-
top box in its population. The fictitious address is used by all of the CASs to address ERS 
202, which appears as a set-top box to all of the CAS systems. Each CAS system is 
deceived into considering the fictitious address as part of its set-top box population. The 
methodology of defining a single virtual set-top box is particularly advantageous because 
simplicity is maintained. If each of the CASs were to forward a random EMM, ERS 202 
may become overly complex in terms of the required hardware and software. Similarly, 
complexity is avoided by not choosing at random a set-top box to convey the EMM. 
Otherwise, ERS 202 would have to track too many set-top boxes to receive the EMM. 
Moreover, by preassigning the virtual set-top box, the possibility of colliding with a real set-
top box address is avoided. 

[74] At block 304, the method involves generating an EMM based on the 
fictitious address, the EMM containing the periodical key for cable system 208. 

[75] At block 306, the step of forwarding the EMM to the fictitious 
address of the virtual set-top box is illustrated. As noted, the fictitious address appears to be 
within the CAS 216 set-top box population. 

[76] At block 308, the method includes the step of receiving the EMM by 
ERS 202, which has information concerning the fictitious address. ERS 202 contains secure 
code and acts like a set-top box to derive the clear periodical key from the EMM. The 
periodical key is typically buried inside the EMM. ERS 202 also contains a database (not 
shown) which stores the periodical key associated with each CAS. In this fashion, upon 
receiving an EMM, ERS 202 retrofits the requisite ECM having the periodical key for 
forwarding to the appropriate cable system. Although not shown, one of ordinary skill in 
the art will realize that communication links 242, 240 may comprise wired telephone line, 
fiber, satellite or radio frequency channel, for example. In fact, no physical link may exist, 
e.g. SneakerNet, wherein the EMM is manually collected on a floppy disk and walked over 
to ERS 202. The so-called SneakerNet provides the advantage of erecting a physical barrier 
between the components. 
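The exchange of Fig. 3 (blocks 304 to 308) together with the ECM retrofitting of paragraph [67], as an added illustration that is not part of the patent: a CAS wraps its periodical key in an EMM addressed to virtual set-top box 1234, the ERS unwraps it with the one unit key it tracks, stores it per CAS, and later wraps a program key under that periodical key to produce a retrofitted ECM. The XOR keystream "cipher" and integrity tag are HMAC-SHA256 stand-ins (assumptions), not any real CAS message format, and all keys and identifiers are constructed.

```python
"""Added model of EMM forwarding to a virtual set-top box and ECM retrofitting.
The keystream cipher and tag are HMAC-SHA256 stand-ins, not a real CAS format."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

VIRTUAL_STB_ADDRESS = 1234  # the fictitious set-top box address from the text


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (assumption): XOR data with an HMAC-SHA256 keystream.
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass(frozen=True)
class EMM:
    cas_id: str
    stb_address: int
    nonce: bytes
    ciphertext: bytes  # validity epoch || periodical key, encrypted under the unit key
    tag: bytes         # integrity tag so a corrupted or forged EMM is rejected


def cas_build_emm(cas_id: str, unit_key: bytes, periodical_key: bytes, epoch: int) -> EMM:
    """CAS side (blocks 304/306): wrap the periodical key for set-top box 1234."""
    nonce = os.urandom(12)
    body = struct.pack(">I", epoch) + periodical_key
    ciphertext = _keystream_xor(unit_key, nonce, body)
    tag = hmac.new(unit_key, nonce + ciphertext, hashlib.sha256).digest()
    return EMM(cas_id, VIRTUAL_STB_ADDRESS, nonce, ciphertext, tag)


class ERS:
    """Tracks only the unit key of set-top box 1234 for each CAS, plus the
    periodical key most recently learned from that CAS."""

    def __init__(self, unit_keys: Dict[str, bytes]):
        self.unit_keys = dict(unit_keys)
        self.periodical_keys: Dict[str, Tuple[int, bytes]] = {}

    def receive_emm(self, emm: EMM) -> bool:
        """Block 308: act like set-top box 1234 and recover the clear periodical key."""
        unit_key = self.unit_keys.get(emm.cas_id)
        if unit_key is None or emm.stb_address != VIRTUAL_STB_ADDRESS:
            return False
        expected = hmac.new(unit_key, emm.nonce + emm.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, emm.tag):
            return False  # altered in transit (or on the SneakerNet floppy)
        body = _keystream_xor(unit_key, emm.nonce, emm.ciphertext)
        self.periodical_keys[emm.cas_id] = (struct.unpack(">I", body[:4])[0], body[4:])
        return True

    def retrofit_ecm(self, cas_id: str, program_key: bytes) -> Optional[bytes]:
        """Wrap the program key from the encryption record under the CAS's current
        periodical key; the ECM stays valid until that key changes."""
        if cas_id not in self.periodical_keys:
            return None
        epoch, periodical_key = self.periodical_keys[cas_id]
        nonce = os.urandom(12)
        return struct.pack(">I", epoch) + nonce + _keystream_xor(periodical_key, nonce, program_key)


def stb_open_ecm(periodical_key: bytes, ecm: bytes) -> bytes:
    """What a real set-top box holding the periodical key does with the ECM."""
    return _keystream_xor(periodical_key, ecm[4:16], ecm[16:])
```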

[77] Fig. 4 is an exemplary flow diagram of the steps for controlling 
access to pre-encrypted content in accordance with a first embodiment of the present 
invention. The present method ensures that the pre-encrypted content generated by a 
compromised OLES is inaccessible to subscribers. 

[78] Referring to Figs. 1 and 4, at block 402, the method involves 
encrypting clear content to form a first pre-encrypted content during an encryption session. 
The encryption is performed at CPS 102, which has one or more offline encryption systems 
(OLES) to perform the actual encryption. The OLES generates the program-specific 
cryptographic key(s) used to encrypt content, and is protected by physical security (physical 
access control or secure packaging). The encryption part of the content preparation process 
consists of the following steps: (1) ERS 104 provides the OLES with encryption control 
parameters. Such parameters may be used, for example, for the protection of encryption 
records by means of encryption; and (2) the offline encryption devices select one or more 
cryptographic keys (depending on configuration) which are used to encrypt the content. 

[79] At block 404, the method comprises generating a first encryption 
record having a first time stamp associated with the step of encrypting clear content. The 
time stamp marks when the OLES encryption session took place. Each OLES session is 
time stamped so that when the OLES is compromised, the legal owner can trace the last 
legal OLES session. The time stamp may be provided using a personal computer (PC) 
clock, for example. However, this alternative remains vulnerable because a pirate who 
compromised the OLES can easily reset the PC clock. Advantageously, the present 
invention employs secure software embedded in hardware within the OLES to generate the 
time stamp. In one embodiment, the time stamp is an ascending number generated by the 
secure software. The OLES generates the encryption record containing information about 
the keys used to encrypt the program. The OLES encrypts the clear content using the 
chosen key(s) and the pre-encrypted content is recorded and packaged together with the 
encryption record. Table I below is an exemplary embodiment of an encryption record 
having a time stamp in accordance with a first embodiment of the present invention. The 
"Encrypted Data Block" element contains the time stamp. 

Table I 

Element Name           Element Value   Generating Device 
TitleIdCode            String          OLES SW 
ContentTitle           String          OLES SW 
EncryptionTime         Time            OLES SW 
OLESId                 Long            OLES Security Dev. 
TimeStamp              Integer         OLES Security Dev. 
EncryptionMode         Integer         OLES Security Dev. 
EncryptedDataVersion   Integer         OLES Security Dev. 
EncryptedDataBlock     (Key Size)      OLES Security Dev. 


[80] At block 406, the step of adding a cryptographic signature to the 
encryption record is illustrated. The cryptographic signature may be produced by 
encrypting the checksum or hash of the encryption record, for example. The cryptographically 
strong signature is added to the encryption record to provide additional security. This 
signature covers every secured field in the encryption record, including the time stamp. 

[81] At block 408, the first time stamp is reported as the last permissible 
time stamp. The owner has discovered that the OLES has been compromised, and 
thereafter forwards a report to ERS 104, the report providing the last authorized time stamp, 
i.e., the time stamp of the last encryption performed while the OLES was in the possession of the owner. The 
owner of the OLES is asked to track all encryption records generated by a successful 
session. The encryption records are needed when new ECMs are requested. Hence, this 
procedure is a regular one and provides no additional burden to the OLES owner. Should 
the legal owner discover that an OLES has been compromised, the owner must report the 
breach to ERS 104. ERS 104 allows an owner to "report a compromised OLES". In this 
report, the last legal time stamp is one of the fields conveyed to ERS 104. 

[82] At block 409, a request to retrofit a second pre-encrypted content 
generated by a compromised OLES is received from VOD system 108. The request is for 
an ECM having the appropriate key information to allow subscriber access to the second 
pre-encrypted content. When received, the request is accompanied by a second encryption 
record having a second time stamp associated with the second pre-encrypted content. 

[83] At decision block 410, the method involves determining by ERS 104 
whether the second encryption record has been altered. This step is accomplished by 
verifying the digital signature. 

[84] At block 414, if the second encryption record has been altered or the 
signature is incorrect, ERS 104 denies the request to provide access to the second pre-
encrypted content. 

[85] At decision block 412, on the other hand, if no alteration to the 
encryption record has occurred, the method determines whether the second time stamp 
predates or is contemporaneous to the first time stamp. 

[86] At block 416, if the second time stamp predates or is 
contemporaneous to the first time stamp, access to the second pre-encrypted content in 
accordance with the request is provided by generating and forwarding the requested ECM to 
VOD system 108. That is, ERS 104 determines that the second time stamp is earlier than or 
contemporaneous with the last legal time stamp, indicating the second pre-encrypted content 
was generated while in possession of the owner. 

[87] At block 414, if the second time stamp is subsequent to the first time 
stamp, the request to provide access to the pre-encrypted content is denied, and no ECM is 
generated by ERS 104. In this manner, the present method ensures that the pre-encrypted 
content generated by a compromised OLES is inaccessible to subscribers, and theft of the 
OLES is discouraged. 
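The decision of Fig. 4, blocks 406 to 416, as an added illustration that is not part of the patent: the OLES security device signs the secured fields of a Table I record, the owner reports the last legal time stamp, and the ERS refuses an ECM when the signature fails or the record's TimeStamp is later than that limit. The signature is an HMAC-SHA256 stand-in for the encrypted hash the text describes, and the per-OLES verification key, field values and OLES identifiers are constructed.

```python
"""Added model of the ERS access check for a compromised OLES (Fig. 4).
HMAC-SHA256 stands in for the patent's encrypted hash; keys are assumed."""
import hashlib
import hmac
import json
from typing import Dict

# Every secured field of the Table I record, including the time stamp, is signed.
SECURED_FIELDS = ("OLESId", "TimeStamp", "EncryptionMode",
                  "EncryptedDataVersion", "EncryptedDataBlock")


def _canonical(record: dict) -> bytes:
    # Deterministic byte encoding of the secured fields (a missing field becomes null).
    return json.dumps({f: record.get(f) for f in SECURED_FIELDS}, sort_keys=True).encode()


def oles_sign_record(record: dict, signing_key: bytes) -> dict:
    """Block 406 (OLES security device): attach the signature to the record."""
    signed = dict(record)
    signed["Signature"] = hmac.new(signing_key, _canonical(record), hashlib.sha256).hexdigest()
    return signed


class ERSAccessControl:
    def __init__(self, verification_keys: Dict[int, bytes]):
        self.verification_keys = dict(verification_keys)  # OLESId -> key of a registered OLES
        self.last_legal_stamp: Dict[int, int] = {}        # OLESId -> last permissible TimeStamp

    def report_compromised_oles(self, oles_id: int, last_legal_stamp: int) -> None:
        """Block 408: the owner reports the last authorized time stamp."""
        self.last_legal_stamp[oles_id] = last_legal_stamp

    def decide_retrofit(self, record: dict) -> str:
        """Blocks 409-416 for one retrofit request. Returns 'GRANT' or 'DENY:<reason>'."""
        oles_id = record.get("OLESId")
        key = self.verification_keys.get(oles_id)
        if key is None:
            return "DENY:unregistered OLES"  # paragraph [55]: OLES must be registered
        # Decision block 410: has the record been altered? Block 414 if so.
        expected = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(record.get("Signature", ""))):
            return "DENY:record altered or signature incorrect"
        # Decision block 412: encrypted after the last legal session? Block 414 if so.
        limit = self.last_legal_stamp.get(oles_id)
        if limit is not None and record["TimeStamp"] > limit:
            return "DENY:encrypted after reported compromise"
        return "GRANT"  # block 416: the ECM may be generated and forwarded
```

A pirate who backdates TimeStamp without the signing key fails at block 410, and one who keeps the genuine signature fails at block 412, which is why the signature must cover the time stamp.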


Synchronizing ECM Retrofitting with Periodical Key Changes 
[88] Since ECMs are cryptographically protected by a periodical key, their 
lifetimes are limited by the expiration of the periodical key (although their lifetimes could 
be limited by other factors). As the periodical key of a cable system changes, new ECMs 
need to be retrofitted to pre-encrypted programs. The retrofitting of ECMs therefore needs 
to be synchronized with the periodical key renewal process. 

[89] After a new periodical key has been generated and before the 
expiration of the current periodical key, CAS 110 communicates the new periodical key and 
its validity period to ERS 104 over a secured communication channel. This communication 
takes place at least ti minutes before the expiration of the current periodical key. VOD 
system 108 communicates periodically with ERS 104 to perform ECM retrofitting on newly 
introduced and/or existing pre-encrypted programs, to check for scheduled occurrence of 
periodical key changes, or both. VOD system 108 communicates with ERS 104 to perform 
the above function no less often than every ti minutes. Alternatively, ERS 104 may 
maintain a list of VOD systems (and their addressing information) and forward scheduled 
occurrences of monthly changes to the affected VOD systems. While the above is a 
complete description of exemplary specific embodiments of the invention, additional 
embodiments are also possible. Thus, the above description should not be taken as limiting 
the scope of the invention, which is defined by the appended claims along with their full 
scope of equivalents. 